Water Security

CDP water risk assessment: a basin level guide

Cristina Alcalá-Zamora · · 9 min read

Why water risk assessment is the heart of Water Security

The CDP Water Security questionnaire scores answers on data, governance, targets, and value chain engagement. But the lever that most consistently separates a B from an A in Water Security is the depth and rigour of the water risk assessment. Companies with strong inventory data but a generic, corporate level risk view rarely move past B. Companies that combine basin level risk analysis with site specific quantification routinely reach A or A minus.

The reason is methodological. Water is fundamentally a local resource. A litre of water withdrawn in southern Spain during a drought year is not equivalent to a litre withdrawn in Norway. CDP scoring rewards companies that understand this and reflect it in their disclosures.

This article explains how to structure a water risk assessment that satisfies CDP, the tools available, and the integration points with broader risk management.

The four dimensions of water risk

CDP and the major water frameworks (CEO Water Mandate, AWS Standard, TNFD) recognise four dimensions of water risk:

Physical risk. Water scarcity, flood, drought, declining quality. The most directly measurable category. Includes both chronic baseline stress and acute event risk.

Regulatory risk. Restrictions on withdrawal, discharge limits, water pricing changes, allocation reforms. Increasingly material as regulators in stressed basins tighten rules.

Reputational risk. Conflict with local communities over shared water sources, NGO campaigns, media exposure of pollution events. Often the trigger for board level attention.

Operational and supply chain risk. Suppliers in water stressed regions, embedded water in raw materials, logistics disruptions from flood or drought.

CDP scoring asks for substantive risks across these dimensions, not generic statements. A risk identified as “physical risk in southern Europe” without quantification, location, or financial impact does not score.

The tools that scorers expect

Three tools dominate water risk assessment:

WRI Aqueduct (World Resources Institute). The most widely used global water risk atlas. Provides scores across 13 indicators including baseline water stress, drought risk, flood risk, water quality, and reputational risk. Free and globally consistent. CDP scorers recognise Aqueduct outputs as a credible baseline.

WWF Water Risk Filter. A complementary tool focusing on basin level context, biodiversity, and ecosystem services. More detailed in some regions, particularly Asia and Africa. Free.

Aqueduct Water Risk Atlas country filters and overlays. Increasingly used to combine water risk with biodiversity (TNFD aligned), agricultural production, and operational footprint.

The strongest water risk assessments use both Aqueduct and Water Risk Filter, and document why one is preferred where they diverge. Custom basin specific tools (such as those produced by water utilities or river basin authorities) add depth for material sites.

Building the assessment, step by step

A water risk assessment that scores well in CDP follows a structured flow:

Step 1: identify all sites. List every operating site, joint venture, and material supplier location with water dependency. The list typically includes manufacturing plants, distribution centres, agricultural sourcing regions, data centres, and key supplier facilities.

Step 2: geocode each site. Latitude and longitude. Aqueduct and Water Risk Filter both require coordinates to retrieve basin level scores.

Step 3: pull baseline risk scores. Run each site through Aqueduct and Water Risk Filter. Capture scores across all relevant indicators (baseline stress, drought, flood, regulatory, reputational, biodiversity).

Step 4: layer site specific data. Match the basin level scores with site specific data: withdrawal volumes, dependence on water, presence of local conflict, regulatory activity. A site with low baseline stress but high withdrawal volume in absolute terms is still a material risk.

Step 5: define materiality thresholds. Define what makes a risk substantive for the company. Common thresholds combine basin stress level (high or extremely high) with site withdrawal volume, criticality of the operation, or supplier concentration.

Step 6: quantify financial impact. For substantive risks, estimate the financial impact. CDP scoring rewards quantitative ranges (e.g., 5 to 15 million EUR potential loss over 5 years) more than qualitative descriptions.

Step 7: define management responses. Each substantive risk needs a documented management response: monitoring, investment, supplier diversification, basin stewardship engagement, or insurance. Risks without responses do not score.

Basin level versus site level

CDP and increasingly investors expect both basin level context and site level specifics. The distinction matters:

  • Basin level: the river basin or aquifer scores from Aqueduct or Water Risk Filter. Provides context. Tells you the water environment around the site.
  • Site level: the actual withdrawal, consumption, discharge, and operational dependence at the site. Provides specifics. Tells you what the company does inside that environment.

A weak risk assessment reports basin scores without site specifics, or vice versa. A strong one combines both: “site X is in a basin scoring high baseline stress, withdraws Y megalitres per year, and represents Z percent of regional withdrawal.” This combination scores in Leadership.

Common pitfalls

Errors that drag down water risk scores:

  • Corporate level only. A risk assessment at corporate level misses the geographic concentration that CDP scores reward.
  • Single tool reliance. Using only Aqueduct without cross checking against Water Risk Filter or basin specific tools.
  • No regulatory analysis. Identifying physical risk but ignoring regulatory tightening in the same basins.
  • Static assessment. CDP rewards dynamic assessments that update annually as conditions change. A 2022 assessment used in 2026 scores poorly.
  • Disconnection from targets. The risks identified should drive the water targets. If the assessment finds extreme stress in three basins and the targets do not address them, scoring suffers.

Integration with broader risk management

The strongest water risk assessments are integrated with three other processes:

Enterprise risk management. Substantive water risks should appear in the corporate risk register, with the same governance and review frequency as other strategic risks.

Supplier risk management. Suppliers in water stressed basins should be flagged in the procurement system. Water risk should inform sourcing diversification decisions.

Climate risk assessment. Water and climate risks are linked but not identical. Drought is a climate driven physical water risk. Flood is both. Reputational water risk often has no direct climate equivalent. CDP rewards distinct treatment of each, with linkages explicitly mapped.

This integration is also what CSRD ESRS E3 and TNFD expect. Doing the work once for water serves three frameworks at once.

What good documentation looks like

For each substantive water risk in your CDP submission, expect to document:

  • The site or basin affected, with geocoordinates.
  • The risk type (physical, regulatory, reputational, supply chain).
  • The timeframe (current, short, medium, long term).
  • The likelihood and magnitude.
  • The financial impact range.
  • The management response, with named owner and budget.
  • The frequency of review.

This documentation typically lives in a structured database, not a Word document. Companies that maintain it as a structured asset score better year on year, because they can update incrementally instead of rebuilding annually.

Where Dcycle fits

Water risk assessment data lives across operational systems, geocoded location databases, basin tools, and risk registers. Dcycle structures this in a single layer, integrating Aqueduct and Water Risk Filter outputs with site specific withdrawal data and financial impact ranges. The output flows directly into CDP Water Security responses, ESRS E3 statements, and TNFD nature disclosures.

To see how this would apply to your operations and basins, request a demo. For the broader context on Water Security disclosure, see the Water Security guide, and for how it fits with CSRD and ESRS E3, the resource hub covers the regulatory side.

Final thought

Water risk assessment is the section of CDP Water Security where the gap between average and excellent responses is widest. Many companies still treat it as a generic exercise, when scorers and increasingly investors expect basin level rigour. Companies that invest in the assessment as a recurring capability, not a one off filing, are the ones whose water disclosures will stand up to scrutiny in the next decade and the ones who actually manage the underlying risks.

CDPWaterSustainabilityCompliance

Related articles

EcoVadis 9 min read

How to improve your EcoVadis score: a practical playbook

Discover what moves your EcoVadis score, how the medal thresholds work, and what to prioritise for Bronze, Silver, Gold, or Platinum in your next assessment.

Read more
ESG 8 min read

ESG data as financial intelligence: the CFO opportunity

ESG data is your company's most valuable AI dataset. Learn how CFOs unlock fleet savings, CBAM exposure, and supply chain risk in minutes, not weeks.

Read more
CSRD 5 min read

The Delegated Act on Simplified ESRS Now Has a Timeline Do You?

The Delegated Act on simplified ESRS arrives before Q4 2026. We explain what changes, who is affected, and what to do now if you are in scope or outside it.

Read more

Collect once. Use everywhere.

See how Dcycle can cut your reporting time by 70% and give your auditors what they need , the first time.

See Dcycle in action